USN-1505-1: OpenJDK 6 vulnerabilities

Ubuntu Security Notice USN-1505-1

icedtea-web, openjdk-6 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Ubuntu 11.10

Ubuntu 11.04

Ubuntu 10.04 LTS

Summary

Several security issues were fixed in OpenJDK 6.

Software description

icedtea-web
- A web browser plugin to execute Java applets

openjdk-6
- Open Source Java implementation

Details

It was discovered that multiple flaws existed in the CORBA (CommonObject Request Broker Architecture) implementation in OpenJDK. Anattacker could create a Java application or applet that used theseflaws to bypass Java sandbox restrictions or modify immutable objectdata. (CVE-2012-1711, CVE-2012-1719)

It was discovered that multiple flaws existed in the OpenJDK fontmanager's layout lookup implementation. A attacker could speciallycraft a font file that could cause a denial of service throughcrashing the JVM (Java Virtual Machine) or possibly execute arbitrarycode. (CVE-2012-1713)

It was discovered that the SynthLookAndFeel class from Swing inOpenJDK did not properly prevent access to certain UI elementsfrom outside the current application context. An attacker couldcreate a Java application or applet that used this flaw to cause adenial of service through crashing the JVM or bypass Java sandboxrestrictions. (CVE-2012-1716)

It was discovered that OpenJDK runtime library classes could createtemporary files with insecure permissions. A local attacker coulduse this to gain access to sensitive information. (CVE-2012-1717)

It was discovered that OpenJDK did not handle CRLs (CertificateRevocation Lists) properly. A remote attacker could use this to gainaccess to sensitive information. (CVE-2012-1718)

It was discovered that the OpenJDK HotSpot Virtual Machine did notproperly verify the bytecode of the class to be executed. A remoteattacker could create a Java application or applet that used thisto cause a denial of service through crashing the JVM or bypass Javasandbox restrictions. (CVE-2012-1723, CVE-2012-1725)

It was discovered that the OpenJDK XML (Extensible Markup Language)parser did not properly handle some XML documents. An attacker couldcreate an XML document that caused a denial of service in a Javaapplication or applet parsing the document. (CVE-2012-1724)

As part of this update, the IcedTea web browser applet plugin wasupdated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10.

Update instructions

The problem can be corrected by updating your system to the following
package version: